Change record status: 
Project: 
Introduced in branch: 
8.x
Description: 

In Drupal 7, the image_style_options() API function returns sanitized output by default, appropriate for insertion directly into an HTML page. When image style labels were added in Drupal 7.23, an optional PASS_THROUGH parameter was added to this function to skip sanitization in cases where it is unnecessary.

In Drupal 8, the sanitization has been removed, and it is up to the calling function to ensure that the output is sanitized when required.

Example involving select lists

Drupal 7:

<?php
  $form['image_style'] = array(
    '#title' => t('Choose an image style'),
    '#type' => 'select',
    // The PASS_THROUGH parameter is used to prevent image_style_options() from
    // double-encoding the human-readable image style name, since the form API
    // will already sanitize options in a select list.
    '#options' => image_style_options(FALSE, PASS_THROUGH),
    ...
  );
?>

Drupal 8:

<?php
  $form['image_style'] = array(
    '#title' => t('Choose an image style'),
    '#type' => 'select',
    // The output of image_style_options() is unsanitized, so we just let the
    // form API sanitize it for us.
    '#options' => image_style_options(FALSE),
    ...
  );
?>

Example involving radios or checkboxes

Drupal 7:

<?php
  $form['image_style'] = array(
    '#title' => t('Choose an image style'),
    '#type' => 'radios',
    // The PASS_THROUGH parameter is not added in this case, since the form API
    // does not sanitize radio button labels, and we therefore want to allow
    // image_style_options() to sanitize them.
    '#options' => image_style_options(FALSE),
    ...
  );
?>

Drupal 8:

<?php
  $form['image_style'] = array(
    '#title' => t('Choose an image style'),
    '#type' => 'radios',
    // Sanitize the image style labels before inserting them into HTML.
    '#options' => array_map('check_plain', image_style_options(FALSE)),
    ...
  );
?>
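
The select and radios cases above, reproduced as a stand-alone PHP script (an added illustration, not code from this change record or from Drupal). The `example_*` functions are hypothetical stand-ins for `check_plain()`, `image_style_options()` and the form API's rendering of the two element types, and the image style labels are constructed.

```php
<?php
// Added example: stand-alone simulation, no Drupal bootstrap needed.

// Stand-in for check_plain(), which Drupal 7 implements with htmlspecialchars().
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for image_style_options(FALSE) as it behaves in
// Drupal 8: labels come back unsanitized. Both labels are constructed.
function example_image_style_options() {
  return array(
    'thumbnail' => 'Thumbnail (100x100)',
    'promo' => 'Promo <em>wide</em> & cropped',
  );
}

// Models an element type that escapes option labels itself ('select').
function example_render_select(array $options) {
  $html = "<select>\n";
  foreach ($options as $value => $label) {
    $html .= '  <option value="' . example_check_plain($value) . '">'
      . example_check_plain($label) . "</option>\n";
  }
  return $html . "</select>\n";
}

// Models an element type that inserts labels as given ('radios').
function example_render_radios(array $options) {
  $html = '';
  foreach ($options as $value => $label) {
    $html .= '<label><input type="radio" name="image_style" value="'
      . example_check_plain($value) . '"> ' . $label . "</label>\n";
  }
  return $html;
}

$raw = example_image_style_options();
$escaped = array_map('example_check_plain', $raw);

echo "select, raw labels (correct: escaped once by the element):\n", example_render_select($raw);
echo "select, pre-escaped labels (double-encoded):\n", example_render_select($escaped);
echo "radios, raw labels (label markup reaches the page unescaped):\n", example_render_radios($raw);
echo "radios, pre-escaped labels (correct: the caller sanitized):\n", example_render_radios($escaped);
```

When porting a Drupal 7 call that omitted PASS_THROUGH, check which of these two element behaviours the receiving code has before deciding whether to add `check_plain`.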
Impacts: 
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done